Decree 165/2025/ND-CP detail the Law on Data

DECREE

Detailing a number of articles and measures
for the implementation of the Law on Data

^____________

Pursuant to the February 18, 2025 Law on Organization of the Government;

Pursuant to the November 30, 2024 Law on Data;

At the proposal of the Minister of Public Security;

The Government promulgates the Decree detailing a number of articles and measures for the implementation of the Law on Data.

Chapter I

GENERAL PROVISIONS

Article 1. Scope of regulation

This Decree details Clause 3 Article 13, Clause 5 Article 14, Clause 5 Article 15, Clause 3 Article 16, Clause 4 Article 17, Clause 4 Article 18, Clause 3 Article 20, Clause 5 Article 21, Clause 5 Article 22, Clause 4 Article 23, Clause 5 Article 25, Clause 4 Article 26, Clause 4 Article 27, Clause 3 Article 30, Clause 8 Article 31, Clause 5 Article 35, Clause 4 Article 36, and Clause 3 Article 37 of the Law on Data and the establishment, development, protection, governance, processing, and use of data; the assurance of resources for the operation of the National Data Center; the responsibilities of agencies, organizations, and individuals related to data activities.

Article 2. Subjects of application

1. Vietnamese agencies, organizations, and individuals.

2. Foreign agencies, organizations, and individuals in Vietnam.

3. Foreign agencies, organizations, and individuals directly participating in or related to digital data activities in Vietnam.

Chapter II

DATA PROCESSING ACTIVITIES

Article 3. Criteria for determining important data

The determination of important data shall be based on the extent of potential impact of the data on national defense, public security, cryptography, foreign affairs, macroeconomics, social stability, public health, and public safety in the event of unauthorized collection or use (excluding state secrets), including:

1. Data that may cause dangerous impact on the national security, independence, sovereignty, unification, and territorial integrity of the Fatherland, the protection of the Party, the State, and the great national unity bloc; the protection of political security, security in the fields of ideology and culture, economy, national defense, foreign affairs, information, society, natural resources, environment, agriculture, biology, healthcare, labor, construction, education, training, science, and technology.

2. Data that may cause dangerous impact on the planning of foreign relations development, affect national interests and international cooperation security, Vietnam’s overseas investment projects, the security of energy and maritime.

3. Data that may cause dangerous impact on the development and operation of the macroeconomy, critical national economic sectors, aggregate supply and demand of society, the total national economic value, unemployment rate, monetary sector, commerce, export, import, and the supply of essential goods, products, and services.

4. Data that may cause dangerous impact on the life, health, honor, dignity, property, lawful rights and interests of agencies, organizations, and individuals; the prevention and combating of epidemics, the prevention, monitoring, and treatment of infectious diseases and occupational diseases, food safety and hygiene; labor supply and the provision of public services.

Article 4. Criteria for determining core data

The determination of core data shall be based on the direct impact of the data causing danger to national defense, public security, cryptography, foreign affairs, macroeconomics, social stability, public health, and public safety in the event of unauthorized collection or use (excluding state secrets), including:

1. Data directly causing dangerous impact on the national security, independence, sovereignty, unification, and territorial integrity of the Fatherland, the protection of the Party, the State, and the great national unity bloc; the protection of political security, security in the fields of ideology and culture, economy, national defense, foreign affairs, information, society, natural resources, environment, agriculture, biology, healthcare, labor, construction, education, training, science, and technology.

2. Data directly causing dangerous impact on the planning of foreign relations development, affect national interests and international cooperation security, Vietnam’s overseas investment projects, the security of energy and maritime.

3. Data directly causing dangerous impact on the development and operation of the macroeconomy, critical national economic sectors, aggregate supply and demand of society, the total national economic value, unemployment rate, monetary sector, commerce, export, import, and the supply of essential goods, products, and services.

4. Data directly causing dangerous impact on the life, health, honor, dignity, property, lawful rights and interests of agencies, organizations, and individuals; the prevention and combating of epidemics, the prevention, monitoring, and treatment of infectious diseases and occupational diseases, food safety and hygiene; labor supply and the provision of public services.

Article 5. Data storage activities

1. Data owners shall prescribe a specific retention period for data that they collect or generate.

2. State agencies shall promulgate technical procedures for storing data under their management, ensuring the secure storage of data.

3. The National Data Center shall establish data storage services to meet the needs of data owners and data administrators. Data owners and data administrators shall coordinate with the National Data Center to develop plans and implementation roadmaps in accordance with specific data storage services.

Article 6. Data access and retrieval

1. Data access means the activity of approaching or interacting with data in accordance with the granted rights, including read access, write access, edit access, delete access, execute access, and other types of access as prescribed by data owners or data administrators.

2. Data retrieval means the activity of accessing and exploiting data, including manual retrieval, automated retrieval, real-time retrieval, and other types of retrieval as prescribed by data owners or data administrators.

3. Principles for data access and retrieval:

a) Ensuring legality and compliance with the procedures for data access and retrieval;

b) Accessing and retrieving data only within the scope of the granted rights and as necessary for the specified purpose.

4. State agencies shall promulgate technical procedures for data access and retrieval regarding data under their management, including the following main contents:

a) Management of registered user information;

b) Management of access and retrieval authorization;

c) Management of access and retrieval logs;

d) Management of data access and retrieval tools.

Article 7. Supporting data owners in connecting and sharing data with state agencies

State agencies shall implement measures to support data owners in connecting and sharing data with state agencies, including:

1. Developing information systems to ensure the connection and sharing of data; protecting and using the data shared by data owners in accordance with the specified purposes.

2. Developing procedures, applications, and software to enable data owners to exercise their rights over the data provided for state agencies in accordance with law provisions.

3. Ministers, Heads of ministerial-level agencies, agencies attached to the Government, and Chairpersons of the People’s Committees of provinces and centrally governed cities shall decide on the support for data owners, including:

a) Support for connection transmission lines; support for tools to ensure compliance with technical standards for connection and sharing; support for infrastructure and information security and safety;

b) Support for funding to ensure connection and sharing; support for reimbursement of costs incurred in data creation and collection in accordance with the standards set by state agencies;

c) Support for human resources to carry out data connection and sharing; support for training and capacity building of human resources serving data connection and sharing;

d) Other forms of support.

Article 8. Providing data for state agencies

1. Individuals and organizations are encouraged to share and provide their data for state agencies with purposes serving the common interest, such as healthcare, climate change, traffic improvement, facilitation of aggregation and dissemination of official statistics, enhancement of public service delivery, public policy planning, or scientific research purposes.

Organizations and individuals shall share and provide data voluntarily on the basis of the data subject’s consent for processing personal data related to them, or the data owner’s authorization permitting the use of their non-personal data.

2. State agencies shall request organizations and individuals to provide data in accordance with Clause 2 Article 18 of the Law on Data as follows:

a) Issuing a written request or other form ensuring acknowledgement of the request for data provision, clearly specifying the type of data, level of detail, volume of data, frequency of data access, method of data provision, legal basis, grounds and reasons for the request, purpose of data use, duration of use and deadline for data provision, and the intended data processing activities;

b) Notifying the organizations and individuals requested to provide data of the sanctions to be applied in case of non-compliance with the request.

3. Handover and receipt of requested data

a) The handover and receipt of data shall be conducted in accordance with the specified subjects, timing, type of data, level of detail, volume of data, frequency of data access, and method of data provision as requested;

b) The participants in the handover and receipt of data shall include the data owner, the legal representative or the person lawfully managing or using the data; and the individual or organizational representative assigned to manage or use the data;

c) The handover and receipt of data must be documented in a written record;

d) The requesting party shall have the right to require the supplying party to supplement the data in case the handed-over data does not conform to the scope of the requested data provision.

4. Cancellation of the data provision request

a) The request for data provision shall be cancelled if the request for data provision is contrary to the provisions of the Law on Data and other relevant laws; the request for data provision has not yet been fulfilled but the conditions for data provision prescribed in Clause 1 Article 18 of the Law on Data no longer exist; the request for data provision has not yet been fulfilled but the data no longer exists due to objective reasons;

b) The cancellation of the data provision request must be documented in a written record.

5. Request for amendment or withdrawal of the data provision request

a) Prior to the designated deadline for data provision, the data owner, the legal representative, or the person lawfully managing or using the data may request the competent authority to amend or withdraw the data provision request;

b) The data owner or data administrator may request the amendment or withdrawal of the data provision request if the request for data provision is contrary to the provisions of the Law on Data and other relevant laws; the scope of data under the management of the data owner or data administrator does not fall within the requested data provision; the data no longer exists due to objective reasons.

6. Competence to request data provision

Ministers, Heads of ministerial-level agencies, Chairpersons of the People’s Committees of provinces and centrally-run cities, the Director of the National Data Center, and Directors of Public Security of provinces and centrally-run cities shall have the competence to request data provision within the scope of their duties and powers.

Article 9. Data confirmation and authentication

1. Data confirmation shall be conducted as follows:

a) Data collected and updated into national databases, sectoral databases, and other databases shall be confirmed by the data owner or data administrator;

b) Data confirmation among state agencies and socio-political organizations shall be carried out through coordination regulations and methods of data connection, sharing, and provision;

c) Except for the cases prescribed at Point a and Point b of this Clause, data confirmation shall be conducted based on the agreement between the data user and the data administrator, the data owner, or another organization in accordance with the law regulations;

d) Data owners and data administrators shall take the responsibility for the quality, reliability, and legality of the data that they provide and confirm; and develop procedures, forms, and organize data confirmation activities.

2. Data owners and data administrators shall independently develop procedures, forms, and organize data authentication activities within the scope of their ownership and management.

3. The scope and duration of data authentication shall be determined by the data owner.

4. Data confirmation and authentication shall be carried out in accordance with the law regulation on electronic authentication and other relevant law regulations.

Article 10. Data disclosure

1. The disclosure of open data shall be carried out immediately after the data is classified as open data. Data owners and data administrators shall disclose open data in the following forms:

a) The National Data Portal;

b) Open data portals, electronic information portals of ministries, sectors, and localities, and other systems and platforms;

c) Intermediary systems serving data connection and sharing or other forms in accordance with the law provisions.

2. State agencies shall publish the list of open data and organize the disclosure of open data under their management, and send such information to the Ministry of Public Security for consolidation and publication on the National Data Portal.

3. Data of state agencies that is not subject to disclosure prohibition due to its relation to national security, privacy, trade secrets, or other reasons as prescribed by law regulations shall be disclosed as open data.

4. State agencies develop and implement decisions on the publication of open data that shall determine the list of open data to be published, the mechanism for collecting and analyzing feedback from individuals and organizations regarding the use of open data; the assessment of the quality, usability, and compliance with law regulations related to open data.

Article 11. Data encryption and decryption

1. Agencies, organizations, and individuals shall use one or more encryption solutions and encryption and decryption procedures appropriate to their data governance and management activities, including:

a) Data encryption solutions for data transmission;

b) Data encryption solutions for data storage;

c) Data encryption solutions on digital devices;

d) Hardware security solutions to prevent unauthorized access and ensure that encryption and decryption operations are performed only within a secure environment;

dd) Decryption procedures requiring authentication and identification of the person performing the data decryption, determination and authorization for access to the encrypted data;

e) Solutions for recording encryption and decryption activities to ensure legality, transparency, fairness, and to facilitate retrieval;

g) Other solutions and procedures as prescribed by laws.

2. The Minister of Public Security shall decide or delegate the authority to decide on the application of measures to decrypt data in the cases prescribed in Clause 4 Article 22 of the Law on Data without requiring the consent of the data owner or data administrator, except for cases within the sectors of military and national defense.

3. The Minister of National Defence shall decide or delegate the authority to decide on the application of measures to decrypt data related to military and national defense in the cases prescribed in Clause 4 Article 22 of the Law on Data without requiring the consent of the data owner or data administrator.

Article 12. Cross-border data transfer and processing

1. When data owners or data administrators need to transfer or process core data or important data across borders, they shall conduct an impact assessment in accordance with Clause 2 of this Article.

The impact assessment for transferring core data or important data abroad or to foreign organizations and individuals shall be conducted once for the entire operational period of the organization or enterprise and updated, supplemented in accordance with Clause 8 of this Article.

2. The transferring party shall conduct an impact assessment addressing the following issues:

a) The legality, necessity, scope, method of data transmission, and the manner of data processing by the receiving party;

b) The risks that the data transfer may pose to national defense, public security, economic activities, foreign affairs, social stability, public interests, or the lawful rights and interests of individuals or organizations; the risk of data being falsified, destroyed, leaked, lost, or unlawfully used;

c) The responsibilities and obligations, and the managerial and technical measures of the receiving party;

d) Other relevant issues.

3. The agreement between the transferring party and the receiving party shall clearly determine:

a) The purpose, method, and scope of data export, and the purpose and method of data processing by the receiving party;

b) The location and duration of data storage, and the measures for data processing after the expiration of the storage period or upon the completion of the agreed purposes;

c) Binding requirements imposed on the receiving party regarding the provision of the transferred data to any third party;

d) The data protection measures to be implemented by the receiving party;

dd) Remedial measures, compensation for damages, responsibility for handling breaches of contractual obligations, and dispute resolution measures related to violations of data protection obligations;

e) The responsibilities of the parties in data processing.

4. The dossier for the impact assessment of cross-border data transfer and processing shall include the Report on Impact Assessment of Cross-Border Data Transfer and Processing (according to Form No. 02 issued together with this Decree) and other relevant documents.

5. If the data transferred and processed abroad is core data:

a) The transferring party shall submit the dossier for the impact assessment of cross-border data transfer and processing to the Ministry of Public Security; in cases falling within the military, national defense, or cryptographic sectors, the dossier shall be submitted to the Ministry of National Defence;

b) The responsible unit under the Ministry of National Defence or the Ministry of Public Security shall receive and examine the dossier for completeness and validity. If the dossier is incomplete, the transferring party shall be requested to supplement and finalize the dossier;

c) The responsible unit under the Ministry of National Defence or the Ministry of Public Security shall complete the assessment of the dossier for the impact assessment of cross-border data transfer and processing within 10 days from the date of receipt of a complete and valid dossier; in the case of a complex dossier requiring verification and inspection, the assessment period shall not exceed 15 days;

d) The transferring party shall be notified in writing of the assessment result. Upon receipt of a satisfactory assessment result, the data administrator shall decide on the transfer of core data abroad and the cross-border processing of data.

6. If the data to be transferred and processed across borders is important data:

The transferring party shall prepare the dossier for the impact assessment prior to the cross-border transfer and processing of data to serve the inspection and assessment activities of the Ministry of Public Security or the Ministry of National Defence when necessary (without requiring prior approval from the competent authority before implementation).

The transferring party shall submit one original dossier to the Ministry of Public Security or the Ministry of National Defence, using the form issued together with this Decree, at least 15 days prior to carrying out the data processing.

7. The impact assessment conducted by the competent authority shall focus on evaluating the risks that cross-border data transfer and processing activities may pose to national security, public interests, or the lawful rights and interests of individuals and organizations, primarily including the following issues:

a) The legality and necessity of the purpose, scope, and method of data transfer and data processing;

b) The impact of data protection policies and cybersecurity regulations of the country or region of the receiving party on the confidentiality of the data; the level of data protection by the receiving party in comparison with the Vietnamese standards and technical regulations applied;

c) The scale, scope, and type of data, and the risks of falsification, destruction, leakage, loss, transfer, or unlawful use after the transfer;

d) The responsibilities and obligations of the relevant parties;

dd) Other issues affecting national defense, public security, the protection of national interests, public interests, and the lawful rights and interests of data subjects and data owners in accordance with Vietnamese law and international treaties to which the Socialist Republic of Vietnam is a party.

8. The transferring party shall amend or supplement the dossier for the impact assessment of cross-border data transfer and processing in the following cases:

a) When there is any change in the purpose, method, scope, or type of data transferred or processed; any change in the purpose or method of data processing by the receiving party affecting data security and safety; any extension of the storage period of core data or important data;

b) Changes in data protection policies and cybersecurity regulations in the country or region where the receiving party is located, changes in the actual control of the transferring party or the receiving party and other impacts on the confidentiality of the transferred data.

9. The Ministry of National Defence and the Ministry of Public Security shall decide to require the transferring party to cease cross-border transfer and processing of core data or important data in the following cases:

a) Core data or important data that has been transferred and processed across borders is used for activities infringing upon national defense, public security, national interests, public interests, or the lawful rights and interests of data subjects and data owners in accordance with Vietnamese law and international treaties to which the Socialist Republic of Vietnam is a party.

b) The transferring party fails to comply with the provisions of this Article;

c) There are acts violating the regulations on data protection.

10. The quantification of core data and important data in cross-border data transfer and processing shall be determined based on the accumulated volume of data that has been transferred and processed across borders, calculated from July 1, 2025, to the time of data transfer and processing.

11. Cases of cross-border transfer and processing of core data that do not require prior approval from the competent authority under Clause 5 of this Article and cases of transfer and processing of important data that are not subject to notification to the competent authority under Clause 6 of this Article shall include:

a) In emergency situations genuinely necessary to provide personal data abroad to protect the life, health, and property safety of individuals; to perform duties and obligations as prescribed by laws;

b) When performing cross-border personnel management in accordance with labor rules, labor regulations, and collective labor agreements as prescribed by laws;

c) In cases genuinely necessary to provide data for the purpose of concluding or performing a contract, including contracts related to cross-border transportation, logistics, remittances, payments, opening bank and hotel accounts, visa applications, and verification services.

12. In cases of cross-border transfer and processing of core data or important data as prescribed in Clause 11 of this Article, the impact assessment shall be submitted to the Ministry of Public Security (or the Ministry of National Defence for data under its management) in accordance with Clause 4 of this Article within 15 days from the date of implementation.

Article 13. Other activities in data processing

1. Data retrieval, deletion, and destruction

a) Data retrieval means the act of requesting the return of data and performing the deletion or destruction of the provided data, or requesting the cessation of processing and use of the data if the request for deletion or destruction is not possible.

Data deletion means the activity of removing data from the structure or environment in which it is stored.

Data destruction means the activity of removing data from the structure or environment in which it is stored and ensuring the irrecoverability by means of overwriting or physical destruction.

b) Data deletion and destruction shall be carried out within 72 hours after receiving the request of the data subject and the result of data retrieval, deletion, or destruction shall be notified to the data owner, unless otherwise provided by laws. If data cannot be deleted or destroyed, the data owner or data administrator shall cease processing and using the data.

2. Data adjustment and updating mean the activities of supplementing or modifying one or more data records in the database or information system.

Chapter III

DATA GOVERNANCE, MANAGEMENT, AND PROTECTION

Article 14. Data governance and management

1. The Ministry of Public Security shall promulgate the overall Data Governance and Management Framework to be uniformly applied by state agencies connected to and sharing data with the National Data Center.

2. Agencies managing databases that connect and share data with the National Data Center shall develop the detailed Data Governance and Management Framework applicable to the databases under their management, ensuring consistency with the overall Data Governance and Management Framework promulgated by the Ministry of Public Security.

3. Agencies managing databases shall develop the detailed Data Governance and Management Framework including the following main contents:

a) Mechanism for managing master data and shared catalog code tables;

b) Mechanism for managing data processing activities; plans for data storage expansion and backup;

c) Data quality assessment; application of standards and technical regulations on data quality, data connection, and data sharing;

d) Mechanism for managing data specification information (metadata);

dd) Data architecture and data models;

e) Mechanism for data connection and sharing;

g) Mechanism for data protection;

h) Mechanism for data development, exploitation, and use;

i) Mechanism for implementation, control, and monitoring.

4. Management of master data and shared catalog data

a) Agencies managing databases shall promulgate the list of master data and shared catalog data on the basis of coordination and agreement with the Ministry of Public Security;

b) The contents of master data governance and management shall include the principles for assigning identification codes; the basic information for describing, identifying, and distinguishing specific objects within the master data; the procedures for creating and updating master data; the selection of technologies and tools to ensure that master data is collected, updated, exploited, and used accurately, consistently, and comprehensively; the implementation of creation, updating, and management of master data; connection and sharing of master data into the National Synthetic Database; coordination with the Ministry of Public Security to monitor and reconcile in order to ensure the quality of master data across the entire system;

c) Master data in national databases and other databases of agencies assigned the responsibility for creating and managing master data shall have official validity equivalent to paper documents provided by competent authorities;

d) The Ministry of Public Security shall develop policies for managing master data to be synchronized into the National Synthetic Database; develop procedures for collecting, updating, deleting, using, sharing, and coordinating master data within the National Synthetic Database; clearly define functions and responsibilities for the quality and integrity of master data; and monitor the quality of master data.

5. State agencies implementing information technology projects related to national databases or sectoral databases shall obtain opinions from the Ministry of Public Security (the National Data Center) regarding the contents of data development, protection, governance, processing, and use, in order to avoid waste and ensure the consistency and synchronization in the implementation.

Article 15. Identification and management of risks arising in data processing

1. Types of risks arising in data processing shall include:

a) Privacy risks arising from non-compliance with law provisions on the privacy rights of data subjects during data processing and transfer;

b) Cybersecurity risks arising from the failure to apply necessary measures to protect non-public data from unauthorized access by external parties or from data leakage;

c) Risks of identification and access management arising from the failure to ensure the protection of non-public data against unauthorized access;

d) Other risks in data processing, including: risk of data sharing arising from the inability to maintain control over shared data; risk of data management arising from inadequate data quality.

2. A number of measures for preventing risks arising in data processing shall include:

a) Performing regular data backups and ensuring their security;

b) Định kỳ bảo trì, bảo dưỡng, nâng cấp hệ thống nhằm duy trì và cải thiện hiệu suất, tính năng, tính bảo mật và tính nhất quán của hệ thống cơ sở dữ liệu; có biện pháp ứng phó khôi phục hệ thống để bảo đảm tính liên tục của hệ thống;

b) Periodically maintaining, servicing, and upgrading the system to maintain and improve the performance, functionality, security, and consistency of the database system; implementing system recovery measures to ensure the continuity of system;

c) Implementing data protection measures in accordance with regulations;

d) Strictly assigning access rights for each type of data to prevent unauthorized data access;

dd) Utilizing intrusion detection and monitoring systems to track network activities and detect abnormal behavior or unauthorized access;

e) Installing and maintaining security software;

g) Conducting annual periodic risk assessments to determine system loopholes and apply corresponding measures of risk prevention;

h) Developing incident response plans and procedures to proactively and promptly respond to and remediate incidents;

i) Providing training, capacity building, and instruction on data protection skills, methods for identifying threats, and procedures for handling detected security risks; regularly conducting drills for incident prevention, monitoring, detection, and ensuring timely response and remediation of incidents;

k) Other measures as prescribed by laws.

Article 16. Data protection

1. State agencies shall organize the management and protection of data within their scope of management, including establishing systems for management, monitoring, risk assessment, and early warning throughout the entire process of data processing; implement appropriate delegation and assignment of access rights for different types of data, ensuring compliance with general policies on data protection.

Data administrators that are not under state agencies are encouraged to develop their own regulations on the protection of data under their management.

2. The protection of core data and important data that constitutes personal data shall be carried out in accordance with the provisions of the Law on Data and this Decree.

In cases of cross-border transfer and processing of core data and important data, and the management and protection of core data and important data that constitutes personal data, the provisions of Article 12 and Clause 11 Article 17 of this Decree shall apply; no impact assessment under the law on personal data protection shall be required.

3. Data administrators that provide or entrust the processing of core data or important data to organizations or individuals not subject to Article 12 of this Decree shall comply with the following requirements:

a) Reaching an agreement with the receiving party regarding the purpose, method, scope, and obligations of security protection through a contract, and monitoring the performance of the receiving party’s obligations. The dossier relating to the processing of important data provided or entrusted to other receiving parties shall be retained for at least 3 years;

b) When providing or entrusting the processing of core data or important data, the data administrator shall encrypt, digitally sign, and implement other security measures to ensure the confidentiality, integrity, and non-repudiation;

c) The receiving party of core data or important data shall fulfill the obligations of data protection and strictly process the core data or important data in accordance with the agreed purpose, method, and scope.

4. Data protection measures shall include:

a) Management activities related to data processing, including: developing policies, regulations, and criteria for assessing data safety and security to ensure compliance with technical standards, regulations, data protection provisions, and other management measures as prescribed by laws;

b) Technical measures related to data processing: ensuring physical security, access control, cybersecurity inspections, and other technical measures as prescribed by laws;

c) Management of human resources for data protection: developing regulations on personnel management and training human resources for data protection;

d) Other data protection measures as prescribed by laws.

Article 17. Data management and protection during the process of data processing

1. Data administrators shall establish the management system for data protection throughout the entire process of data processing.

2. Data administrators shall implement data protection measures during the collection and creation of data. For core data and important data, data administrators shall carry out the following activities:

a) Developing procedures for data collection and creation, assessing and applying protection measures prior to data collection and creation;

b) Verifying the authenticity, monitoring the quality of data, and tracing the provenance of data.

3. Data administrators shall store data in the manner and for the duration as prescribed by laws. For core data and important data, data administrators shall carry out the following activities:

a) Developing the procedures of data storage, including provisions on data backup, recovery procedures, storage logging, data backup and recovery;

b) Developing the management system of data storage and applying tools and technical measures to protect data during storage, including the automated execution of data backup and recovery;

c) Deleting or destroying data upon the expiration of the storage period or when the data is no longer necessary for processing purposes.

4. When processing and using core data or important data, data administrators shall:

a) Develop and implement regulations on data access and retrieval to ensure compliance with the principles of least privilege during data processing and use;

b) Develop the control system of data access, including establishing a management platform of unified access and identity; apply technical measures to protect data, control access and retrieve data during the process of data processing and use.

5. Data administrators shall clarify the scope, purpose, and procedures, develop the regulations on data protection, and apply protection measures based on the classification, level, purpose, and use cases of the data provided to external parties.

6. Data owners shall analyze and assess the impact on national defense, public security, foreign affairs, macroeconomics, social stability, public health, and public safety prior to disclosing data.

7. Data owners and data administrators shall develop plans for data deletion and destruction, clearly defining the objectives, principles, procedures, techniques for deletion and destruction, recording and retaining documentation of deletion and destruction activities. In cases of deletion or destruction of important data or core data, the data administrator shall maintain documentation evidencing that the deletion or destruction activities have ensured the data is irrecoverable.

8. If the data administrator intends to transfer data due to reorganization, dissolution, or bankruptcy, a clear data transfer plan must be established and notified to the affected agencies, organizations, or individuals.

In cases of reorganization or dissolution of an organization managing core or important data, the data administrator must implement data safety measures and report the data processing plan, including the name or information of the receiving party, to the relevant competent authorities.

9. If the data administrator delegates data processing activities to another organization or individual, the responsibilities and obligations of data confidentiality of both the delegating party and the entrusted party must be clearly defined through a contract or delegation agreement. If the processing of important data or core data is delegated, the delegating party must verify the capacity and qualifications of data protection of the entrusted party.

10. The controller of core data and important data must log all data processing activities throughout the entire process of data processing. These logs must be retained for a minimum period of six months.

11. The controller of core data and important data must conduct an annual risk assessment of core and important data processing activities within their management scope, establish and store the risk assessment report in accordance with the template issued together with this Decree and keep them readily available for inspection and evaluation by competent authorities, except in cases that the impact assessment dossier of cross-border data transfer and processing has already been established in accordance with Article 12 of this Decree. The risk assessment report shall include:

a) Basic information about the data administrator, information about the unit performing the function of data security, as well as the name and contact details of the person taking the responsibility for data protection;

b) The purpose, type, volume, method, scope, storage duration, location of data storage, data processing activities and the context in which such data processing activities are carried out.

c) The management system of data protection, technical measures of encryption, backup, labeling, access control and authentication, and other necessary measures;

d) Detected data security risks, data security incidents that have occurred, and the corresponding resolution measures taken;

dd) Other reporting contents as required by relevant competent authorities.

Article 18. Personnel management and personnel training for data protection

1. Data owners and data administrators of core data and important data must designate a person taking the responsibility for data protection and establish the protection unit of data security.

2. The person taking the responsibility for data protection shall perform the function and task of managing and protecting core data and important data, including the organization and development of important data protection plans and the conduct of risk assessments; directly report on the status of data protection to competent authorities in accordance with regulations; undergo training and professional development in data protection.

3. The protection unit of data security shall have the following functions and responsibilities:

a) To develop and implement the management system of data protection, operational procedures, and emergency incident response plans for data protection;

b) To periodically organize and conduct activities such as data security risk monitoring, risk assessment, emergency drills, awareness campaigns, education, training, and timely response to data security risks and incidents;

c) To conduct research and propose decisions related to the protection of core data and important data;

d) To receive and handle data protection reports submitted by internal units.

4. Data owners and data administrators of core data and important data shall:

a) Define security management requirements in the processes of recruitment, employment, training, recommendation, rotation, resignation, evaluation, and selection of personnel;

b) Not assign individuals with prior criminal records in the fields of information technology or telecommunications to serve as Data Protection Officers;

c) Execute confidentiality responsibility agreements with data-processing personnel.

5. Develop and implement annual training programs on data protection.

6. The Data Protection Officer may reach the agreement with the data owner and the data administrator regarding exemptions from responsibility in the event of damage to the protected data.

Article 19. Data Security Monitoring, Early Warning, and Emergency Management

1. The scope of data security monitoring, early warning, and emergency management shall include:

a) Establishment of data security risk monitoring mechanisms;

b) Organization of the development of monitoring interfaces and standards;

c) Development of mechanisms for reporting and sharing information on data security risk, ensuring standardized collection, analysis, evaluation, and reporting information on data security risk;

d) Formulation of emergency response plans for data security incidents.

2. The Ministry of Public Security shall conduct data security monitoring, early warning, and emergency management, except for the contents prescribed in Clause 3 of this Article.

3. The Ministry of National Defence shall conduct data security monitoring, early warning, and emergency management with respect to data under its scope of management.

4. The data administrators shall:

a) Promptly notify the data owner of data security incidents that may adversely affect the lawful rights and interests of individuals or organizations, and propose measures to mitigate damages;

b) In the event of a data security incident, promptly implement emergency response measures in accordance with the established emergency response plan, and report security incidents related to important data and core data to the Ministry of Public Security and the Ministry of National Defence at the earliest possible time.

5. The Ministry of Public Security shall establish the monitoring mechanisms of data security risk, develop the standards of data security monitoring and early warning, coordinate the development of technical tools for monitoring and early warning of data security, build capabilities for monitoring, early warning, incident handling, and traceability, and enhance information sharing with relevant units.

The data administrators shall conduct data security risk monitoring, promptly investigate potential security risks, and implement necessary measures to prevent data security risks.

6. The Ministry of Public Security shall develop mechanisms for reporting and sharing information on data security risk, standardize the processes of collecting, analyzing, evaluating, and reporting information on data security risk, and encourage security service providers and scientific research organizations to share information on data security risk.

The data administrators shall summarize and analyze data security risks within their scope of management and promptly report risks that may lead to major security incidents to the Ministry of Public Security.

7. The Ministry of Public Security shall develop an emergency response plan for data security incidents, including the structure and responsibilities of organizing emergency response, classification and categorization of data security incidents, monitoring and early warning, emergency response procedures, measures of protection, and organize the coordination in responses to important data incidents and core data security.

8. The data administrators shall conduct contingency plan drills for critical and core data security incidents, organize emergency drills on a semi-annual basis, maintain drill records and summary reports, and promptly update contingency plans in response to significant changes in the data processing system or the external environment.

Chapter IV

NATIONAL DATA CENTER, NATIONAL SYNTHETIC DATABASE

Article 20. Infrastructure of the National Data Center

1. The information systems of the National Data Center shall be segregated from development, testing, and trial systems; ensure security and confidentiality in accordance with classified levels, in order to control, detect, and prevent risks to information security and safety.

2. The National Data Center shall develop and expand cloud computing infrastructure and implement it through functional zones to meet the needs of state agencies, ensuring the development of integrated and synchronized subsystems, data exploitation, and high-level information security requirements.

3. The National Data Center shall establish high-performance computing infrastructure and data analytics systems supporting administrative management through predictive analytics models to facilitate the exploitation of the National Synthetic Database; provide technical conditions to support research and development in the field of applied mathematics; support the formulation of mechanisms, policies, planning, and national development strategies, as well as the development of data-related products and services to promote socio-economic development.

4. The National Data Center shall establish the National Data Portal as the central platform through which state agencies disclose information on the types of data under their management; publish and provide open data to enhance transparency in governmental operations and promote innovation, economic, and social development; to enable organizations and individuals to provide data for purposes serving the public interest, improving public service delivery, informing public policy-making, or conducting scientific research for the common good; to facilitate access, search, discovery, and use of open data by agencies, organizations, and individuals.

5. The National Data Center shall develop digital device applications to facilitate the data exploitation and use of the National Data Center, provide data-related products and services, and develop additional utilities to serve agencies, organizations, and individuals.

6. The National Data Center shall establish a communication system with individuals and organizations to support the operations of the National Data Center.

7. The National Data Center shall provide the following types of services:

a) Station infrastructure services, server location, provision of infrastructure space, power systems, air conditioning, and other related equipment for the implementation of database information systems, enabling database controllers, agencies, and organizations in need to proactively operate and manage their own systems by means of shared space utilization or private area allocation, in compliance with regulations on the management and operation of the National Data Center.

b) Provision of services involving servers, network devices, network information security, cybersecurity, data protection, or storage with various configurations, together with corresponding colocation space at National Data Center, in conformity with the needs of the database owners, competent authorities, or relevant organizations;

c) Implementation and operation services of technical infrastructure serving national databases and information systems of databases, as well as other databases and information systems.

8. State agencies and socio-political organizations shall determine the type of services provided by the National Data Center as prescribed in Clause 7 of this Article, ensuring conformity with the actual conditions, operational requirements, and regulations on investment in information technology projects using state budget funds, and submit a written request to the National Data Center for service provision. The written request must clearly determine the service requirements from the National Data Center; the projected scale of the system to be hosted at the National Data Center; the need for personnel to support the administration and operation of the infrastructure and information systems.

9. The Minister of Public Security shall provide guidance on the provision and implementation of services of the National Data Center upon the satisfaction of infrastructure conditions.

Article 21. Responsibilities of the National Data Center

1. To provide guidance for agencies, organizations, and individuals on the application of data standards and technical regulations within the scope of synchronization to the National Data Center.

2. To implement monitoring and evaluation measures regarding the quality of data shared and synchronized with the National Data Center.

3. To coordinate data of the National Synthetic Database.

4. To implement data protection measures to be applied from the outset and throughout the process of data processing in accordance with Clause 6, Article 16 of this Decree.

5. To enter into agreements and memoranda of understanding with international agencies and organizations to promote international cooperation in data management and protection, scientific research, cross-border data transfer, training and enhancement of capacity and expertise in data-related matters with a view to promoting innovation activities and technology transfer in service of socio-economic development.

6. To assist the Ministry of Public Security in performing state management over data.

Article 22. Ensuring resources for building and developing the National Data Center

1. The National Data Center shall develop training programs, international cooperation initiatives, and capacity-building plans to enhance the quality of its human resources.

2. Officers and personnel working at the National Data Center shall receive a support allowance of VND 500,000 per working day, funded from the revenues collected from the exploitation and use of data in the National Synthetic Database, after remittance to the state budget.

Public service units and organizations under the National Data Center may apply this support scheme in determining the entitlements for personnel engaged in professional data-related activities.

3. The Minister of Public Security shall promulgate the list of job positions at the National Data Center; issue mechanisms for attracting, appointing, and providing incentives for high-quality human resources working at the National Data Center.

Article 23. Exploitation and use of the National Synthetic Database

1. Exploitation through direct connection and information sharing with the National Synthetic Database

a) The National Data Center shall grant accounts to agencies and organizations for access and exploitation of information within the National Synthetic Database;

b) Agencies and organizations granted accounts by the National Data Center shall create and manage their own accounts on their information systems connected to the National Synthetic Database, and assign user permissions to individuals under their management in accordance with their assigned functions and duties;

c) Individuals authorized to use personal accounts under agencies or organizations shall use such accounts to search and exploit citizen information in the National Synthetic Database via the information systems of their respective agencies or organizations;

d) The information systems of agencies and organizations shall send information exploitation requests to the National Synthetic Database via the accounts granted by the National Data Center. The exploited information shall be presented in the form of paper or electronic documents and stored within the connected inforstored within the information systems connected to, shared with, and used for exploiting the data;

dd) The National Data Center shall verify and authenticate account information and provide data exploitation results upon request, in accordance with the exploitation rights and scope of information authorized for the account.

2. Agencies, organizations, and individuals shall exploit information in the National Synthetic Database through the National Data Portal, the National Public Service Portal at the National Data Center, and via devices, means, and software in accordance with the guidance of the Ministry of Public Security.

3. Agencies, organizations, and individuals shall exploit information in the National Synthetic Database through electronic portals and information systems for administrative procedure resolution, in accordance with the guidance of ministries, ministerial-level agencies, government-attached agencies, and People's Committees of provinces and centrally-run cities.

4. Exploiting via written requests for information exploitation and provision

a) Agencies, organizations, and individuals shall submit a written request for information exploitation and provision in the National Synthetic Database to the National Data Center;

b) The written request for information exploitation and provision must clearly state the purpose, content, and scope of the information to be exploited in the National Synthetic Database, and must include a declaration of responsibility for the use of the exploited information and other relevant details;

c) Within 3 working days from the date of receipt of the written request for exploitation and use of information in the National Synthetic Database, the competent authority shall review and decide whether to grant permission for such exploitation and use;

d) If permission for exploitation and use of information is granted, a written response shall be issued along with the provision of the requested information to the agency, organization, or individual. In case of denial, a written response shall be issued and clearly state the reasons for refusal.

5. The National Synthetic Database shall serve the implementation of administrative procedures:

a) Automatically carrying out administrative procedures, regimes, and policies for individuals and organizations when the information and data required for consideration and resolution of such procedures are fully available in the National Synthetic Database. Competent authorities and officials shall proactively resolve administrative procedures, regimes, and policies for individuals and organizations based on the information and data connected to, shared from, and exploited through the National Synthetic Database, with the consent of the concerned individuals or organizations;

b) Exploiting, reusing data, developing centralized online public services on the National Public Service Portal, ensuring the simplicity, seamlessness, user-friendliness, cost-effectiveness, and efficiency;

c) Connecting and sharing data between the National Synthetic Database and the information systems for administrative procedure resolution at ministerial and provincial levels to support the receipt and resolution of administrative procedures for individuals and organizations, ensuring that individuals and organizations are not required to declare or resubmit information or documents already available in the National Synthetic Database; fully synchronizing data on digitized dossiers and results of administrative procedure resolution from ministerial-level and provincial-level information systems, as well as from national and sectoral databases managed by ministries, agencies, and localities with the National Public Service Portal and the National Synthetic Database to serve the exploitation and reuse of data, ensuring that individuals and organizations are required to provide information, data, and documents to state agencies only once when implementing administrative procedures and public services.

Article 24. Data connection and sharing with the National Synthetic Database

1. Administrators of databases of state agencies, when developing databases connected to the National Data Center, shall comply with the guidance of the National Data Center to ensure proper data connection and sharing.

2. The National Data Center and the database management agency shall develop an agreement on data connection and sharing, including the following contents:

a) Purpose of data sharing;

b) Scope of data to be shared;

c) Method of data connection and sharing;

d) Timing and frequency of data sharing;

dd) Other related matters.

3. Methods of data sharing

a) Data sharing between databases of state agencies shall be implemented through the Data Sharing and Coordination Platform of the National Data Center and other data integration and sharing platforms;

b) Data sharing between organizations, individuals, and the National Synthetic Database shall be implemented via the Data Sharing and Coordination Platform, data portals, file transfers, and other methods as agreed upon by the parties in the arrangement on data sharing.

4. The National Data Center shall monitor data sharing activities through a monitoring system in order to evaluate the provision and use of data.

Article 25. Provision of data to the National Synthetic Database

1. Organizations and individuals that are not state agencies shall provide data to the National Synthetic Database through an agreement with the National Data Center. The agreement on data provision must clearly determine the purpose of data provision; the scope of data to be provided; the method of data provision; the timing and frequency of provision; and other related matters.

2. Responsibilities of database management agencies in providing data for the National Synthetic Database

a) To synchronize data with the National Synthetic Database in accordance with Clause 1, Article 34 of the Law on Data;

b) To synchronize master data and data serving administrative procedure resolution on the National Public Service Portal, within the scope of management, immediately upon any modification or update, into the National Synthetic Database;

c) For other types of data, synchronization shall be implemented upon modification or update according to the agreement with the National Data Center.

3. The National Data Center shall coordinate with database management agencies to implement appropriate technical measures to ensure that when master data is modified, the data in all referencing databases is correspondingly synchronized.

Chapter V

RESPONSIBILITIES OF AGENCIES AND ORGANIZATIONS

Article 26. Responsibilities of the Ministry of Public Security

1. To assume the prime responsibility for, and coordinate with relevant agencies to organize the implementation, provide guidance, conduct inspections, and urge the implementation of this Decree.

2. To assume the prime responsibility for, and coordinate with relevant agencies to manage activities related to the development, construction, protection, governance, processing, and use of data; ensure data security, prevent and combat crimes and legal violations in the field of data; manage, monitor, and supervise business activities related to data products and services in accordance with the provisions of this Decree.

3. To assume the prime responsibility for, and coordinate with relevant agencies to implement the development of the National Data Center in compliance with regulations, standards, and technical specifications applicable to data centers.

4. To assume the prime responsibility for formulating, promulgating, or submitting to competent state authorities for promulgation, and provide guidance on the implementation of legal normative documents for the enforcement of data-related legal provisions.

5. To assume the prime responsibility for, and coordinate with the Ministry of Justice, the Government Office, the Ministry of Science and Technology, and relevant agencies to review and consolidate proposals for the Government to direct ministries, agencies, and localities in developing, amending, and supplementing documents related to the implementation and operational governance of the National Data Center.

6. To organize the implementation of data connection, sharing, and coordination between information systems, databases of agencies, organizations, and individuals and the National Synthetic Database through the Data Sharing and Coordination Platform of the National Data Center.

7. To ensure information technology infrastructure for Party and State agencies, and socio-political organizations to support the management, governance, and processing of data within their respective scopes at the National Data Center.

8. To assume the prime responsibility for, and coordinate with the Ministry of Science and Technology to appraise, evaluate, inspect, support monitoring, and coordinate incident response related to cybersecurity and information safety during the development, implementation, and operation of information systems and databases at the National Data Center.  

9. To assume the prime responsibility for, and coordinate with the Ministry of Science and Technology to develop technical standards, regulations, or technical guidelines on the organization, connection, sharing, and synchronization of data with the National Data Center.

10. To develop architectural standards for software systems at the National Data Center.

11. To provide guidance on data classification for Party and State agencies, and socio-political organizations; organize and direct training and capacity-building programs on data-related expertise and professional skills nationwide.

12. To develop and operate the National Data Portal.

13. The Minister of Public Security shall determine the expenditure levels for activities supporting funding for data connection and sharing; support the compensation of costs for data creation and collection based on consensus with the Minister of Finance and the Minister of Science and Technology.

Article 27. Responsibilities of the Ministry of National Defence

1. To take the responsibility to the Government for performing state management over data within its scope of management.

2. To coordinate with the Ministry of Public Security and relevant agencies and organizations to prepare appropriate personnel and means to early detect and prevent any acts of intrusion into the National Data Center, both geographically and in cyberspace.

3. To assume the prime responsibility for managing data storage and protection activities, ensuring data security; managing, monitoring, supervising, and organizing the implementation of data connection, sharing, and coordination among information systems and databases; applying scientific methods in data processing, management, exploitation, and use; managing and licensing cross-border data transfers; and utilizing the national data development fund for data under the management scope of the Ministry of National Defence.

Article 28. Responsibilities of the Ministry of Science and Technology

1. To provide guidance for Party and State agencies, and socio-political organizations on the development and improvement of information technology infrastructure and the formulation of technical standards and regulations on data organization, connection, sharing, and synchronization; implement data standardization, connection, sharing, and optimization between investing in new infrastructure and utilizing infrastructure provided by the National Data Center.

2. To review and assess the capacity of dedicated data transmission networks of agencies to develop upgrade plans, enabling units to access and manage systems hosted at the National Data Center through dedicated data transmission networks.

3. To coordinate with the Ministry of Public Security and relevant agencies in researching, mastering, and applying digital technologies and digital data to develop products and services that support the advancement of digital government, digital administration, and socio-economic development through national-level key science and technology programs.

4. To coordinate with the Ministry of Public Security in determining expenditure levels for activities supporting funding to ensure data connection and sharing; supporting the compensation of costs for data creation and collection.

Article 29. Responsibilities of the Government Office

1. To assume the prime responsibility for developing functional, operational, and interface requirements; supporting and guiding ministries, sectors, and localities in addressing issues related to functions, professional processes, and data of the National Public Service Portal; coordinating with the Ministry of Public Security in managing and operating the National Public Service Portal at the National Data Center; performing other tasks related to the development of the National Public Service Portal as assigned by the Government and the Prime Minister; managing and operating the National Database on administrative procedures.

2. To coordinate with the Ministry of Public Security and relevant units to assess the demand and implement the migration of information technology infrastructure for information systems serving the direction and administration of the Government and the Prime Minister to be hosted at the National Data Center.

Article 30. Responsibilities of the Government Cipher Committee

1. To assume the prime responsibility for, and coordinate with relevant agencies to implement data encryption and decryption products.

2. The Government Cipher Committee shall assist the Minister of National Defence in performing tasks of state management related to cipher data.

3. To coordinate with the Ministry of Public Security to implement solutions ensuring safety, authentication, and information security using cryptographic methods; implement authentication services of government-specific digital signature for information systems and databases of Party and State agencies, and socio-political organizations.

Article 31. Responsibilities of the Ministry of Finance

1. To coordinate with the Ministry of Public Security in determining expenditure levels for activities supporting funding to ensure data connection and sharing; supporting the compensation of costs for data creation and collection.

2. To promulgate the Circular prescribing the collection of charges for exploitation and use of information in the National Synthetic Database, national databases, and sectoral databases, based on proposals from ministries and ministerial-level agencies.

Article 32. Responsibilities of Ministries, ministerial-level agencies, government-attached agencies, and People's Committees of provinces and centrally-run cities

1. To assume the prime responsibility for, and coordinate with the Ministry of Public Security, the Ministry of National Defence, and relevant agencies to manage activities related to the collection, updating, modification, duplication, sharing, transfer, deletion, destruction, storage, and protection of data within their respective scopes of management.

2. To synchronize data within their scope of management to the National Data Center in accordance with the provisions of this Decree, and coordinate with the Ministry of Public Security to conduct monitoring and reconciliation to ensure the accuracy of data.

3. Ministries, sectors, and localities shall coordinate with the Government Office, the Ministry of Public Security, and relevant units to restructure processes and amend legal documents in accordance with the roadmap for data collection, updating, and synchronization with the National Synthetic Database.

4. To upgrade, maintain, and repair their infrastructure and equipment when utilizing the infrastructure of the National Data Center.

5. To propose to the Ministry of Finance the rates, collection, exemption, reduction, management, and use of charges for exploitation and use of information in the National Synthetic Database, national databases, and sectoral databases under their respective sectors and fields of management.

Chapter VI

IMPLEMENTATION PROVISIONS

Article 33. Effect

This Decree takes effect from July 1, 2025.

Article 34. Implementation responsibilities

Ministers of ministries, heads of ministerial-level agencies, heads of government-attached agencies, chairpersons of the People’s Committees of provinces and centrally governed cities, and relevant agencies, organizations, and individuals shall implement this Decree./.

* All Appendices are not translated herein.